This is a part of a test with this wordpress plugin which is basically a license manager. I am trying to understand the internals of the system. Here is how it works.
Once the plugin is activated, it generates a private key 55d0ec3f9db414.02268045 using a simple function 'lic_verification_private_secret' => uniqid('', true). Now, when someone makes a purchase of an item, e.g. a WordPress plugin, a public license key 55d5d22ab70d2 is generated (using uniqid()). The public key is then sent to the customer's email id. The customer inputs that key into his site and sends a request to the license server. Below is a function about how the license manager plugin @server matches the private key with public key.
    static function verify_secret_key() {
        $slm_options = get_option('slm_plugin_options');
        $private_secret_key = $slm_options['lic_verification_private_secret'];
        $public_key = strip_tags($_REQUEST['secret_key']); // this is sent in the query string
        if ($public_key == $private_secret_key) {
            // send a message back to client saying the key is verified.
        }
    }
All this works, so basically where I am stumped is how the below equation is valid? What part of the picture am I missing?
55d5d22ab70d2 == 55d0ec3f9db414.02268045
Update - I have performed this test and it echoes false, which I guess is obvious.
echo '55d0ec3f9db414.02268045' === '55d5d22ab70d2' ? 'true' : 'false';
Shared secret key:
    // Shared by both sides: hash of the serialized message followed by the secret
    function generate_signature($message, $secret) {
        $serialized_message = serialize($message);
        return md5($serialized_message . $secret);
    }

    // Sender side: build the content and attach its signature
    $secret = "i like pie";
    $content = array(
        "i like" => "pie",
        "pancakes" => "are also nice"
    );
    $message = serialize(array(
        "signature" => generate_signature($content, $secret),
        "content" => $content
    ));
    // send the message

    // Receiver side: recompute the signature with the same secret and compare
    $message = unserialize($_POST["message"]);
    $signature = generate_signature($message["content"], $secret);
    if ($signature === $message["signature"]) {
        echo "ok";
    } else {
        echo "you don't like pie?";
    }
The secret key can be the license btw, since that's what you want to keep secret.
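A variant of the shared-secret signing in the answer above, as an added example that is not part of the original answer or of the plugin's code: it computes the tag with HMAC-SHA256 (`hash_hmac`) instead of `md5($data . $secret)`, compares tags with `hash_equals`, and carries the content as JSON so that `unserialize` never runs on request data. The function names `sign_message` and `verify_message` and the sample secret are assumptions made for illustration.

```php
<?php
// Added example: function names and sample values are assumptions,
// not taken from the license manager plugin.

/** Sender side: encode the content as JSON and attach an HMAC-SHA256 tag. */
function sign_message(array $content, string $secret): string {
    $body = json_encode($content, JSON_THROW_ON_ERROR);
    return json_encode([
        'content'   => $body,  // the exact bytes that were signed
        'signature' => hash_hmac('sha256', $body, $secret),
    ], JSON_THROW_ON_ERROR);
}

/** Receiver side: return the content array, or null if the tag does not verify. */
function verify_message(string $wire, string $secret): ?array {
    $envelope = json_decode($wire, true);
    if (!is_array($envelope)
        || !isset($envelope['content'], $envelope['signature'])
        || !is_string($envelope['content'])
        || !is_string($envelope['signature'])) {
        return null; // malformed envelope
    }
    // Recompute the tag over the received bytes, before parsing them.
    $expected = hash_hmac('sha256', $envelope['content'], $secret);
    // hash_equals() compares the two strings in constant time.
    if (!hash_equals($expected, $envelope['signature'])) {
        return null;
    }
    $content = json_decode($envelope['content'], true);
    return is_array($content) ? $content : null;
}

// Constructed sample input; a real deployment would use a long random secret.
$secret = 'i like pie';
$wire   = sign_message(['i like' => 'pie', 'pancakes' => 'are also nice'], $secret);

// Case 1: untouched message, correct secret.
var_dump(verify_message($wire, $secret) !== null);

// Case 2: content altered in transit, signature left as it was.
$tampered = str_replace('pancakes', 'waffles!', $wire);
var_dump(verify_message($tampered, $secret) !== null);

// Case 3: receiver holds a different secret.
var_dump(verify_message($wire, 'wrong secret') !== null);
```

The tag is computed over the transmitted JSON string itself, so the receiver never has to re-encode the content to check it, and the content is only parsed after the tag has verified.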